A critical path traversal vulnerability in Gogs allows unauthenticated attackers to achieve remote code execution by manipulating repository paths to overwrite sensitive system configuration files.

Gogs fails to properly sanitize organization names, permitting the use of path traversal sequences (../). An attacker can leverage this to place Git repositories in arbitrary locations on the filesystem, eventually overwriting hooks that execute code on the server.

This vulnerability allows for full Remote Code Execution (RCE) on the server hosting the Git service. Given the CVSS score of 10.0, the impact is catastrophic, as it allows an attacker to gain complete control over the underlying infrastructure, steal source code, and pivot into the internal network.

Immediate Action: Upgrade the Gogs installation to version 0.14.3 or higher immediately to address the path traversal flaw.

Proactive Monitoring: Monitor the filesystem for unexpected repository creation or modifications to Git hooks and configuration files.

Compensating Controls: Ensure the Gogs process runs with the least privilege necessary, restricted by filesystem permissions that prevent writing outside of designated repository directories.

Public Exploit Available: No

This is a critical vulnerability that requires immediate remediation. Organizations relying on Gogs for code management must update their systems without delay to prevent total server compromise and the potential theft or corruption of sensitive intellectual property.